CVE-2026-52953
Received Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix oops due to out of scope access Below oops triggers when kill QEMU process: Oops: general protection fault, probably for non-canonical address 0x7fffffff844eaaa7: 0000 [#1] SMP NOPTI Call Trace: <TASK> do_raw_spin_lock+0xaa/0xc0 _raw_spin_lock_irqsave+0x21/0x40 domain_remove_dev_pasid+0x52/0x160 intel_nested_set_dev_pasid+0x1b9/0x1e0 __iommu_set_group_pasid+0x56/0x120 pci_dev_reset_iommu_done+0xe3/0x180 pcie_flr+0x65/0x160 __pci_reset_function_locked+0x5b/0x120 vfio_pci_core_close_device+0x63/0xe0 [vfio_pci_core] vfio_df_close+0x4f/0xa0 vfio_df_unbind_iommufd+0x2d/0x60 vfio_device_fops_release+0x3e/0x40 __fput+0xe5/0x2c0 task_work_run+0x58/0xa0 do_exit+0x2c8/0x600 do_group_exit+0x2f/0xa0 get_signal+0x863/0x8c0 arch_do_signal_or_restart+0x24/0x100 exit_to_user_mode_loop+0x87/0x380 do_syscall_64+0x2ff/0x11e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The global static blocked domain is a dummy domain without corresponding dmar_domain structure, accessing beyond iommu_domain structure triggers oops easily. Fix it by return early in domain_remove_dev_pasid() like identity domain.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52953
EUVD
EUVD-2026-38821
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's iommu/vt-d component. It causes a general protection fault (an 'oops') when a QEMU process is killed. The issue arises because the code accesses memory beyond the valid iommu_domain structure, specifically when handling a global static blocked domain that is a dummy domain without a corresponding dmar_domain structure. This out-of-scope access triggers the fault.

The fix involves returning early in the domain_remove_dev_pasid() function to prevent accessing invalid memory, similar to how the identity domain is handled.

Impact Analysis

This vulnerability can cause a system crash or kernel oops when a QEMU process is terminated, potentially leading to system instability or downtime. Such crashes may disrupt services running on the affected Linux system, especially those relying on virtualization through QEMU.

Detection Guidance

This vulnerability manifests as a kernel oops (general protection fault) triggered when killing a QEMU process, related to out of scope access in the iommu/vt-d subsystem.

Detection involves monitoring kernel logs for oops messages similar to the following: "Oops: general protection fault, probably for non-canonical address ..." especially when terminating QEMU processes.

You can check kernel logs using commands such as:

  • dmesg | grep -i 'Oops'
  • journalctl -k | grep -i 'Oops'
  • journalctl -k | grep -i 'general protection fault'

Additionally, monitoring for crashes or abnormal termination of QEMU processes may help identify attempts to trigger this issue.

Mitigation Strategies

The vulnerability is fixed by an update to the Linux kernel that returns early in the domain_remove_dev_pasid() function to prevent out of scope access causing kernel oops.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid killing QEMU processes abruptly until the kernel is updated, as this action triggers the oops.
  • Monitor kernel logs for signs of this issue to respond quickly.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52953. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart